
Php error help


6 replies to this topic

#1 marklcfc

marklcfc

    Neowinian

  • Joined: 30-March 05

Posted 28 January 2013 - 20:37

I have come across an error on my website; I wondered if anyone could help? I have the word Banks O'Dee in my PHP database ($buyfrom) and I receive this error when accessing my page:

select location from opposition_team where opposition='Banks O'Dee'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Dee'' at line 1


And this is the code I use on my php page for this part

$q4="select location from opposition_team where opposition='$buyfrom'";
$qr4=mysql_query($q4,$ccppdbc)or die($q4.mysql_error());
$r4=mysql_fetch_object($qr4);
$location=$r4->location;

Can I not make this work without changing the word Banks O'Dee so it doesn't have the ', as I believe that is what's causing it?


#2 firey

firey

    F͎̗͉͎͈͑͡ȉ͎̣̐́ṙ͖̺͕͙̓̌è̤̞͉̟̲͇̍̍̾̓ͥͅy͓̍̎̌̏̒

  • Tech Issues Solved: 5
  • Joined: 30-October 05
  • Location: Ontario, Canada
  • OS: Windows 7
  • Phone: Android (4.1.2)

Posted 28 January 2013 - 20:51

PHP has a function addslashes; you could do something like:

$q4="select location from opposition_team where opposition='" . addslashes($buyfrom) . "'";
$qr4=mysql_query($q4,$ccppdbc)or die($q4.mysql_error());
$r4=mysql_fetch_object($qr4);
$location=$r4->location;


#3 AnthonySterling

AnthonySterling

    Offering bad advice since 23-December 04.

  • Joined: 23-December 04
  • Location: North-East, UK

Posted 28 January 2013 - 20:51

You need to properly escape the value in the $buyfrom variable.
$buyfrom = mysql_escape_string($buyfrom);
/* code detailed above follows */


#4 Aergan

Aergan

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 24-September 05
  • Location: Staffordshire, UK
  • OS: Windows 8.1 Pro / Server 2012 R2 / Mint 16
  • Phone: Sony Xperia Z1

Posted 28 January 2013 - 21:02

You should always escape or validate variables before they are used in any form of query; not doing so leads to many issues and it's a great big security hole.

#5 OP marklcfc

marklcfc

    Neowinian

  • Joined: 30-March 05

Posted 28 January 2013 - 21:07

I used that escape line; the page loads, but it appears as Banks O\'Dee instead of Banks O'Dee.

Firey's works well though.

Edited by marklcfc, 28 January 2013 - 21:11.


#6 ITOps

ITOps

    Neowinian

  • Joined: 25-July 11

Posted 28 January 2013 - 21:13

I have come across an error on my website; I wondered if anyone could help? I have the word Banks O'Dee in my PHP database ($buyfrom) and I receive this error when accessing my page:



And this is the code I use on my php page for this part

$q4="select location from opposition_team where opposition='$buyfrom'";
$qr4=mysql_query($q4,$ccppdbc)or die($q4.mysql_error());
$r4=mysql_fetch_object($qr4);
$location=$r4->location;

Can I not make this work without changing the word Banks O'Dee so it doesn't have the ', as I believe that is what's causing it?


Hi marklcfc,

What others have said is true about needing to escape your queries. I would recommend using the mysql_real_escape_string function, as mysql_escape_string has been deprecated since PHP 5.3 on June 30, 2009.

Since this is an issue showing up in your site, there is also the possibility that there are other unescaped queries in your website application. I would recommend updating your code to use PDO and prepared statements to help increase the security of your site and help protect from SQL injection.

I would also recommend validating your data before accepting it from the end user or from a storage system, and running your data through something like HTMLPurifier to assist with XSS protection.

Please take some time checking out the OWASP Top 10 to get a good idea of some of the security issues to look into. This should help you review your current site security level and see where it needs to be improved.

#7 palenous

palenous

    Neowinian

  • Joined: 19-January 13
  • Location: Ohio, United States
  • OS: Windows 7 Ultimate
  • Phone: Samsung Galaxy SIII (Verizon)

Posted 29 January 2013 - 00:09

I used that escape line; the page loads, but it appears as Banks O\'Dee instead of Banks O'Dee.

Firey's works well though.


To fix this issue, you just need to run stripslashes on your strings before echoing them out:

$buyfrom = mysql_real_escape_string($buyfrom);
$q4="select location from opposition_team where opposition='" . $buyfrom . "'";
$qr4=mysql_query($q4,$ccppdbc)or die($q4.mysql_error());
$r4=mysql_fetch_object($qr4);
$location=stripslashes($r4->location);

The escaping is only necessary when inserting data into your database. Once you retrieve it, you can strip the slashes to return your data to normal. Hope that answers your questions!
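As an added example (not code from the thread or from any of its posters), here is the OP's lookup rewritten the way post #6 suggests, with PDO and a prepared statement. It also covers the symptom discussed in posts #5 and #7: because the value is never escaped by hand, $buyfrom is never overwritten with a backslashed copy, so nothing on the page needs stripslashes. The DSN, user and password are placeholders; the table and column names are those of the original query, and the sample value "Banks O'Dee" is the one from the thread.

```php
<?php
// Added example, not the thread's own code. Requires the pdo_mysql extension.
$pdo = new PDO(
    'mysql:host=localhost;dbname=YOUR_DATABASE;charset=utf8mb4', // placeholder DSN
    'YOUR_USER',                                                   // placeholder
    'YOUR_PASSWORD',                                               // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of die()
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// Returns the location stored for $buyfrom, or null when no row matches.
function lookupLocation(PDO $pdo, $buyfrom)
{
    // The value travels separately from the SQL text, so "Banks O'Dee"
    // needs no addslashes/mysql_real_escape_string and can never change
    // the structure of the statement.
    $stmt = $pdo->prepare(
        'select location from opposition_team where opposition = :opposition'
    );
    $stmt->execute([':opposition' => $buyfrom]);
    $row = $stmt->fetch(PDO::FETCH_OBJ);
    return $row === false ? null : $row->location;
}

$buyfrom  = "Banks O'Dee";                  // the value from the thread
$location = lookupLocation($pdo, $buyfrom);

// $buyfrom was never replaced by an escaped copy, so it still reads
// Banks O'Dee and needs no stripslashes. Encode for HTML at output time
// (the XSS point raised in post #6) instead of altering the stored value.
echo htmlspecialchars($buyfrom, ENT_QUOTES, 'UTF-8'), ' - ',
     htmlspecialchars((string) $location, ENT_QUOTES, 'UTF-8');
```

The same pattern applies to every other query on the site: keep the SQL text fixed, pass each variable as a bound parameter, and do output encoding only where the value is rendered. A lookup that finds no row returns null here rather than calling die(), so the page can decide how to report it.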


